Hi,
Not any great hazard, I believe, if it means that the user can normally get all the
features, but only a subset when a filter is set. It is a different case if the DATA
clause is manipulated, and therefore that must be connected to DATAPATTERN.
-Jukka Rahkonen-
________________________________
From: [email protected]
[mailto:[email protected]] On behalf of [email protected]
Sent: 26 January 2009 10:03
To: MapServer
Subject: Re: [mapserver-users] Dynamin SQL with mapserver CGI?
Hi
> You can use a replaceable parameter in the FILTER clause if all you
...
This introduces the hazard of SQL-Injection, doesn't it?
Bye
Benedikt Rothe
[email protected] wrote on 24.01.2009 14:04:42:
> On Sat, Jan 24, 2009 at 3:18 AM, Saka Royban <[email protected]> wrote:
> > Hi all
> > I'm looking for a way to change SQL dynamically via URL parameters. It
> > sounds from doc that changing DATA element in map file is impossible. Is
> > there any other way?
>
> You can use a replaceable parameter in the FILTER clause if all you
> want to do is alter the WHERE clause. So for example:
> FILTER "%criteria%"
> and
> criteria=id='value'
> would work with a database like Postgres.
>
> When working with a database you put the whole SQL WHERE clause in the
> FILTER, whereas with shapefiles or OGR data sources you use the
> FILTERITEM and FILTER.
>
> --
> Richard Greenwood
> [email protected]
> www.greenwoodmap.com
> _______________________________________________
> mapserver-users mailing list
> [email protected]
> http://lists.osgeo.org/mailman/listinfo/mapserver-users
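The substitution discussed in this thread, modeled as an added Python example (not written by any poster and not MapServer code): it shows what reaches the WHERE clause when `%criteria%` carries the whole clause, and how limiting the token to a single literal checked against a pattern rejects everything else. The `substitute` function, the `id='%id%'` template, the id pattern and the request values are constructed assumptions.

```python
import re

TOKEN = re.compile(r"%(\w+)%")

def substitute(template, params, patterns=None):
    """Model of %name% run-time substitution into a FILTER string.

    With patterns=None values are pasted in unchecked. Otherwise every
    substituted value must fully match the regex registered for its name.
    """
    def repl(match):
        name = match.group(1)
        if name not in params:
            return match.group(0)          # leave unknown tokens untouched
        value = params[name]
        if patterns is not None:
            pattern = patterns.get(name)
            if pattern is None or re.fullmatch(pattern, value) is None:
                raise ValueError(f"rejected value for {name!r}")
        return value
    return TOKEN.sub(repl, template)

# Template from the thread: the request supplies the whole WHERE clause.
WHOLE_CLAUSE = "%criteria%"
# Hypothetical narrower template: the request supplies one literal only.
VALUE_ONLY = "id='%id%'"
ID_PATTERN = {"id": r"[A-Za-z0-9_]{1,32}"}   # assumed shape of a valid id

# Constructed request values.
INTENDED = "id='value'"
WIDENED = "id='value' OR 1=1"               # same parameter, different row set
QUOTE_BREAK = "value' OR '1'='1"

def demo():
    results = {
        "whole_ok": substitute(WHOLE_CLAUSE, {"criteria": INTENDED}),
        "whole_widened": substitute(WHOLE_CLAUSE, {"criteria": WIDENED}),
        "value_unchecked": substitute(VALUE_ONLY, {"id": QUOTE_BREAK}),
        "value_checked": substitute(VALUE_ONLY, {"id": "value"}, ID_PATTERN),
    }
    try:
        substitute(VALUE_ONLY, {"id": QUOTE_BREAK}, ID_PATTERN)
        results["rejected"] = False
    except ValueError:
        results["rejected"] = True
    return results

if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:16} {val}")
```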